The discussion of container security is completely lacking any mention of userns remapping, which is an excellent container security feature that's extremely easy to enable and use compared with AppArmor/SELinux (and would work extremely well in parallel with them). That way if someone does manage to break out of a container they have the privileges of a dummy user that doesn't exist on the host, so unless they are using a kernel exploit, they don't have any privileges to be able to do any damage.
https://docs.docker.com/engine/security/userns-remap/
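As an added example (not part of the comment above or of Docker itself), here is the daemon setting the linked docs describe, plus a host-side check that root inside a container really maps to an unprivileged host UID; the `dockremap` user name, the `/proc/<pid>/uid_map` samples and the `docker inspect` usage line are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original comment or the Docker project.
# Shows the userns-remap daemon setting and a defender-side check that
# uid 0 inside a container is NOT uid 0 on the host.

# 1. Setting for /etc/docker/daemon.json. Per the Docker docs, "default"
#    makes the daemon create the dockremap user and its /etc/subuid and
#    /etc/subgid ranges (assumed path; restart the daemon after editing).
DAEMON_JSON='{ "userns-remap": "default" }'

# 2. /proc/<pid>/uid_map lines read: <id inside ns> <id in parent ns> <count>.
#    Constructed samples: a remapped container and a plain (no userns) one.
REMAPPED_MAP='         0     100000      65536'
IDENTITY_MAP='         0          0 4294967295'

# host_uid_for MAP CONTAINER_UID -> prints the host uid that container uid
# maps to, or "unmapped" when it falls outside every range (the kernel then
# shows it as the overflow uid, i.e. nobody).
host_uid_for() {
    printf '%s\n' "$1" | awk -v cid="$2" '
        $1 <= cid && cid < $1 + $3 { print $2 + (cid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# root_is_remapped MAP -> exit status 0 when container root is not host root.
root_is_remapped() {
    h=$(host_uid_for "$1" 0)
    [ "$h" != "0" ]
}

# Real-world use (assumed invocation), run on the host for container C:
#   map=$(cat /proc/"$(docker inspect -f '{{.State.Pid}}' C)"/uid_map)
#   root_is_remapped "$map" || echo "container root == host root"
root_is_remapped "$REMAPPED_MAP" && echo "remapped: root -> host uid $(host_uid_for "$REMAPPED_MAP" 0)"
root_is_remapped "$IDENTITY_MAP" || echo "WARNING: container root is host root"
```

A process that escapes the remapped container lands on the host as UID 100000 (or 100000 plus its in-container UID), which owns nothing there; a container whose map is the identity map gets no such protection.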